in packages/static-website/src/cloudfront-web-acl.ts [239:315]
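/**
 * Creates the custom resource (and the provider framework behind it) that
 * hands ACL lifecycle events to `onEventHandler`.
 *
 * The provider's execution role is restricted to the provider function's own
 * log group; the `:*` variant is required because log stream names are only
 * known at invocation time. The two nag suppressions record why that wildcard
 * and the provider's non-latest runtime are accepted.
 *
 * @param stack - stack whose partition, region and account are used to build
 *   the log-group ARNs
 * @param aclName - forwarded to the handler as the `ID` resource property
 * @param onEventHandler - Lambda function that creates, updates and deletes
 *   the web ACL
 * @param props - optional managed rule list and CIDR allow list; when
 *   `managedRules` is not supplied the AWS common rule set is used
 * @returns the custom resource whose create/update/delete drives the ACL
 */
private createAclCustomResource(
  stack: Stack,
  aclName: string,
  onEventHandler: Function,
  props?: CloudFrontWebAclProps
): CustomResource {
  const providerFunctionName = `${onEventHandler.functionName}-Provider`;

  // Derive the partition from the stack instead of hard-coding "aws" so the
  // ARNs also resolve in the aws-cn and aws-us-gov partitions.
  const logGroupArn = `arn:${stack.partition}:logs:${stack.region}:${stack.account}:log-group:/aws/lambda/${providerFunctionName}`;

  const providerRole = new Role(this, "CloudfrontWebAclProviderRole", {
    assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    inlinePolicies: {
      logs: new PolicyDocument({
        statements: [
          new PolicyStatement({
            effect: Effect.ALLOW,
            actions: [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents",
            ],
            // Group itself plus its streams (stream names are created just in time).
            resources: [logGroupArn, `${logGroupArn}:*`],
          }),
        ],
      }),
    },
  });

  const provider = new Provider(this, "CloudfrontAclProvider", {
    onEventHandler,
    role: providerRole,
    providerFunctionName,
  });

  // Apply the same suppression reason to every rule id of a given construct
  // (applyToChildren = true so the generated policy/function are covered too).
  const suppress = (
    target: Role | Provider,
    ruleIds: readonly string[],
    reason: string
  ): void => {
    for (const id of ruleIds) {
      NagSuppressions.addResourceSuppressions(target, [{ id, reason }], true);
    }
  };

  suppress(
    providerRole,
    ["AwsSolutions-IAM5", "AwsPrototyping-IAMNoWildcardPermissions"],
    "Cloudwatch resources have been scoped down to the LogGroup level, however * is still needed as stream names are created just in time."
  );
  suppress(
    provider,
    ["AwsSolutions-L1", "AwsPrototyping-LambdaLatestVersion"],
    "Latest runtime cannot be configured. CDK will need to upgrade the Provider construct accordingly."
  );

  return new CustomResource(this, "CFAclCustomResource", {
    serviceToken: provider.serviceToken,
    properties: {
      ID: aclName,
      // `??` keeps an explicitly supplied empty list (no managed rules) as-is.
      MANAGED_RULES: props?.managedRules ?? [
        { vendor: "AWS", name: "AWSManagedRulesCommonRuleSet" },
      ],
      CIDR_ALLOW_LIST: props?.cidrAllowList,
    },
  });
}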